Blizzard Entertainment Hack Hits Battle.net Users

By Brian Prince |
Posted 2012-08-12

Video game maker Blizzard Entertainment revealed Aug. 9
its security team had discovered an "unauthorized and illegal access"
to its internal network Aug. 4.

So far, there is no indication that financial information such
as credit card numbers or customers' real names were compromised. According to
the company, the intruder was able to get access to email addresses for global
Battle.net users outside of China as well as answers to personal security
questions for users in North America, Latin America, Australia, New Zealand and
Southeast Asia. The attack also yielded information related to mobile and
dial-in authenticators.

"Based on what we currently know, this information
alone is not enough for anyone to gain access to Battle.net accounts," Mike
Morhaime, CEO of the company, said in a statement.

"We also know that cryptographically scrambled versions
of Battle.net passwords (not actual passwords) for players on North American
servers were taken," he said. "We use Secure Remote Password protocol
(SRP) to protect these passwords, which is designed to make it extremely
difficult to extract the actual password, and also means that each password
would have to be deciphered individually. As a precaution, however, we
recommend that players on North American servers change their password."

The company said
in a FAQ that it waited five days to notify the public because it wanted to
determine what data was stolen and the nature of the attack. The company has
contacted law enforcement to investigate the matter.

"In the coming days, we'll be prompting players on
North American servers to change their secret questions and answers through an
automated process," Morhaime said.

"Additionally, we'll prompt mobile authenticator users to update their
authenticator software. As a reminder, phishing emails will ask you for
password or login information. Blizzard Entertainment emails will never ask for
your password."

Tim Keanini, nCircle Chief Research Officer, said users
should create secret questions with security in mind.

"For example, your mother's maiden name is a
ridiculously weak question because the answer is so readily available. Anyone
can get this on almost any genealogy Website," he said. "I can pick a
half dozen other metadata points about the average Internet user that are just
as easy to access, including where you were born and your favorite movie. Instead,
users should make these question and answer pairs somewhat nonsensical. For
example, don't use the answer 'blue' for your favorite color. Instead, use a
non-color related response."

Blizzard did not offer any information about how exactly the
attack occurred.